From fdd85fb7355d43cf185d79d1f35de9d7d647e0c5 Mon Sep 17 00:00:00 2001 From: Elizabeth Hunt Date: Thu, 4 Jan 2024 01:40:27 -0500 Subject: add sso login --- .env.sample | 2 + README.md | 7 + deploy-authelia.yml | 4 + deploy-vpn-tags.yml | 23 ++ group_vars/vpn.yml | 4 +- inventory | 3 + roles/authelia/files/authelia/.gitignore | 2 + roles/authelia/tasks/main.yml | 30 +++ roles/authelia/templates/docker-compose.yml.j2 | 17 ++ roles/common/tasks/main.yml | 6 + roles/nameservers/tasks/main.yml | 3 +- roles/nameservers/templates/db.simponic.xyz.j2 | 4 +- roles/vpn/files/config/config.yml | 296 --------------------- roles/vpn/tasks/main.yml | 14 +- roles/vpn/templates/config.yml.j2 | 288 ++++++++++++++++++++ roles/webservers/files/nginx.conf | 2 + .../files/nijika/http.authelia.simponic.xyz.conf | 13 + .../files/nijika/http.headscale.simponic.xyz.conf | 4 +- .../files/nijika/https.authelia.simponic.xyz.conf | 57 ++++ roles/webservers/tasks/main.yml | 3 + 20 files changed, 473 insertions(+), 309 deletions(-) create mode 100644 .env.sample create mode 100644 README.md create mode 100644 deploy-authelia.yml create mode 100644 deploy-vpn-tags.yml create mode 100644 roles/authelia/files/authelia/.gitignore create mode 100644 roles/authelia/tasks/main.yml create mode 100644 roles/authelia/templates/docker-compose.yml.j2 delete mode 100644 roles/vpn/files/config/config.yml create mode 100644 roles/vpn/templates/config.yml.j2 create mode 100644 roles/webservers/files/nijika/http.authelia.simponic.xyz.conf create mode 100644 roles/webservers/files/nijika/https.authelia.simponic.xyz.conf diff --git a/.env.sample b/.env.sample new file mode 100644 index 0000000..c3e0e81 --- /dev/null +++ b/.env.sample @@ -0,0 +1,2 @@ +HEADSCALE_PREAUTH_KEY= +HEADSCALE_OIDC_SECRET= diff --git a/README.md b/README.md new file mode 100644 index 0000000..c91b725 --- /dev/null +++ b/README.md @@ -0,0 +1,7 @@ +order: + - common.yml + - deploy-nameservers.yml + - deploy-webservers.yml + - deploy-authelia.yml + - deploy-vpn.yml + - deploy-vpn-tags.yml diff --git a/deploy-authelia.yml b/deploy-authelia.yml new file mode 100644 index 0000000..4942330 --- /dev/null +++ b/deploy-authelia.yml @@ -0,0 +1,4 @@ +- name: authelia setup + hosts: authelia + roles: + - authelia diff --git a/deploy-vpn-tags.yml b/deploy-vpn-tags.yml new file mode 100644 index 0000000..9e281ab --- /dev/null +++ b/deploy-vpn-tags.yml @@ -0,0 +1,23 @@ +- name: prod headscale tags + hosts: prod + tasks: + - name: add prod tags to prod servers + include_role: + name: artis3n.tailscale + vars: + tailscale_args: "--login-server='https://headscale.simponic.xyz'" + tailscale_authkey: "{{ lookup('env', 'HEADSCALE_PREAUTH_KEY') }}" + tailscale_tags: + - "prod" + +- name: private headscale tags + hosts: private + tasks: + - name: add private tags to private servers + include_role: + name: artis3n.tailscale + vars: + tailscale_args: "--login-server='https://headscale.simponic.xyz'" + tailscale_authkey: "{{ lookup('env', 'HEADSCALE_PREAUTH_KEY') }}" + tailscale_tags: + - "private" diff --git a/group_vars/vpn.yml b/group_vars/vpn.yml index eb264d0..ddf8081 100644 --- a/group_vars/vpn.yml +++ b/group_vars/vpn.yml @@ -1,2 +1,4 @@ --- -headscale_users: ['simponic'] +headscale_oidc_secret: "{{ lookup('env', 'HEADSCALE_OIDC_SECRET') }}" +headscale_allowed_users: + - "elizabeth.hunt@simponic.xyz" diff --git a/inventory b/inventory index d880d2a..1a1b4a1 100644 --- a/inventory +++ b/inventory @@ -25,6 +25,9 @@ nijika ansible_user=root ansible_connection=ssh [vpn] nijika ansible_user=root ansible_connection=ssh +[authelia] +nijika ansible_user=root ansible_connection=ssh + [dnsinternal] johan ansible_user=root ansible_connection=ssh diff --git a/roles/authelia/files/authelia/.gitignore b/roles/authelia/files/authelia/.gitignore new file mode 100644 index 0000000..53c78ad --- /dev/null +++ b/roles/authelia/files/authelia/.gitignore @@ -0,0 +1,2 @@ +users_database.yml +configuration.yml diff --git a/roles/authelia/tasks/main.yml b/roles/authelia/tasks/main.yml new file mode 100644 index 0000000..c9abe44 --- /dev/null +++ b/roles/authelia/tasks/main.yml @@ -0,0 +1,30 @@ +--- +- name: ensure authelia docker/compose exist + file: + path: /etc/docker/compose/authelia + state: directory + owner: root + group: root + mode: 0700 + +- name: copy authelia config + copy: + src: ../files/authelia + dest: /etc/docker/compose/authelia/ + owner: root + group: root + mode: u=rw,g=r,o=r + +- name: build authelia docker-compose.yml.j2 + template: + src: ../templates/docker-compose.yml.j2 + dest: /etc/docker/compose/authelia/docker-compose.yml + owner: root + group: root + mode: u=rw,g=r,o=r + +- name: daemon-reload and enable authelia + ansible.builtin.systemd_service: + state: restarted + enabled: true + name: docker-compose@authelia diff --git a/roles/authelia/templates/docker-compose.yml.j2 b/roles/authelia/templates/docker-compose.yml.j2 new file mode 100644 index 0000000..b60545f --- /dev/null +++ b/roles/authelia/templates/docker-compose.yml.j2 @@ -0,0 +1,17 @@ +version: '3.3' + +services: + authelia: + image: authelia/authelia + container_name: authelia + volumes: + - ./authelia:/config + ports: + - 9091:9091 + restart: unless-stopped + redis: + image: redis:alpine + container_name: redis + volumes: + - ./redis:/data + restart: unless-stopped diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml index 80aad48..3e00e6f 100644 --- a/roles/common/tasks/main.yml +++ b/roles/common/tasks/main.yml @@ -1,5 +1,11 @@ --- +# set hostname +- name: Set a hostname specifying strategy + ansible.builtin.hostname: + name: "{{ inventory_hostname }}" + use: systemd + # docker - name: install dependencies apt: diff --git a/roles/nameservers/tasks/main.yml b/roles/nameservers/tasks/main.yml index d52a3b0..c781ae7 100644 --- a/roles/nameservers/tasks/main.yml +++ b/roles/nameservers/tasks/main.yml @@ -39,7 +39,8 @@ - name: flush dns cache on replicas file: path={{ item }} state=absent - with_fileglob: /var/cache/bind/db.* + with_fileglob: "/var/cache/bind/db.*" + when: inventory_hostname in groups['dnsreplica'] - name: restart bind9 service: diff --git a/roles/nameservers/templates/db.simponic.xyz.j2 b/roles/nameservers/templates/db.simponic.xyz.j2 index db3b70b..5861870 100644 --- a/roles/nameservers/templates/db.simponic.xyz.j2 +++ b/roles/nameservers/templates/db.simponic.xyz.j2 @@ -1,6 +1,6 @@ $TTL 604800 @ IN SOA {{ dns_primary_hostname }}.simponic.xyz. admin.simponic.xyz. ( - {{ ansible_date_time.epoch }} ; Serial + {{ ansible_date_time.epoch }} ; Serial 86400 ; Refresh 86400 ; Retry 2419200 ; Expire @@ -30,7 +30,7 @@ www.simponic.xyz. 1 IN CNAME simponic.xyz. s1._domainkey.simponic.xyz. 1 IN CNAME s1.domainkey.u25709709.wl210.sendgrid.net. s2._domainkey.simponic.xyz. 1 IN CNAME s2.domainkey.u25709709.wl210.sendgrid.net. headscale.simponic.xyz. 1 IN CNAME nijika.simponic.xyz. -authentik.simponic.xyz. 1 IN CNAME nijika.simponic.xyz. +authelia.simponic.xyz. 1 IN CNAME nijika.simponic.xyz. ;; MX Records simponic.xyz. 1 IN MX 10 mail.simponic.xyz. diff --git a/roles/vpn/files/config/config.yml b/roles/vpn/files/config/config.yml deleted file mode 100644 index 3942feb..0000000 --- a/roles/vpn/files/config/config.yml +++ /dev/null @@ -1,296 +0,0 @@ ---- -# headscale will look for a configuration file named `config.yaml` (or `config.json`) in the following order: -# -# - `/etc/headscale` -# - `~/.headscale` -# - current working directory - -# The url clients will connect to. -# Typically this will be a domain like: -# -# https://myheadscale.example.com:443 -# -server_url: https://headscale.simponic.xyz:443 - -# Address to listen to / bind to on the server -# -# For production: -# listen_addr: 0.0.0.0:8080 -listen_addr: 0.0.0.0:8080 - -# Address to listen to /metrics, you may want -# to keep this endpoint private to your internal -# network -# -metrics_listen_addr: 127.0.0.1:9090 - -# Address to listen for gRPC. -# gRPC is used for controlling a headscale server -# remotely with the CLI -# Note: Remote access _only_ works if you have -# valid certificates. -# -# For production: -# grpc_listen_addr: 0.0.0.0:50443 -grpc_listen_addr: 127.0.0.1:50443 - -# Allow the gRPC admin interface to run in INSECURE -# mode. This is not recommended as the traffic will -# be unencrypted. Only enable if you know what you -# are doing. -grpc_allow_insecure: false - -# The Noise section includes specific configuration for the -# TS2021 Noise protocol -noise: - # The Noise private key is used to encrypt the - # traffic between headscale and Tailscale clients when - # using the new Noise-based protocol. - private_key_path: /var/lib/headscale/noise_private.key - -private_key_path: /var/lib/headscale/private.key - -# List of IP prefixes to allocate tailaddresses from. -# Each prefix consists of either an IPv4 or IPv6 address, -# and the associated prefix length, delimited by a slash. -# It must be within IP ranges supported by the Tailscale -# client - i.e., subnets of 100.64.0.0/10 and fd7a:115c:a1e0::/48. -# See below: -# IPv6: https://github.com/tailscale/tailscale/blob/22ebb25e833264f58d7c3f534a8b166894a89536/net/tsaddr/tsaddr.go#LL81C52-L81C71 -# IPv4: https://github.com/tailscale/tailscale/blob/22ebb25e833264f58d7c3f534a8b166894a89536/net/tsaddr/tsaddr.go#L33 -# Any other range is NOT supported, and it will cause unexpected issues. -ip_prefixes: - - fd7a:115c:a1e0::/48 - - 100.64.0.0/10 - -# DERP is a relay system that Tailscale uses when a direct -# connection cannot be established. -# https://tailscale.com/blog/how-tailscale-works/#encrypted-tcp-relays-derp -# -# headscale needs a list of DERP servers that can be presented -# to the clients. -derp: - server: - # If enabled, runs the embedded DERP server and merges it into the rest of the DERP config - # The Headscale server_url defined above MUST be using https, DERP requires TLS to be in place - enabled: false - - # Region ID to use for the embedded DERP server. - # The local DERP prevails if the region ID collides with other region ID coming from - # the regular DERP config. - region_id: 999 - - # Region code and name are displayed in the Tailscale UI to identify a DERP region - region_code: "headscale" - region_name: "Headscale Embedded DERP" - - # Listens over UDP at the configured address for STUN connections - to help with NAT traversal. - # When the embedded DERP server is enabled stun_listen_addr MUST be defined. - # - # For more details on how this works, check this great article: https://tailscale.com/blog/how-tailscale-works/ - stun_listen_addr: "0.0.0.0:3478" - - # Private key used to encrypt the traffic between headscale DERP - # and Tailscale clients. - # The private key file will be autogenerated if it's missing. - # - private_key_path: /var/lib/headscale/derp_server_private.key - - # List of externally available DERP maps encoded in JSON - urls: - - https://controlplane.tailscale.com/derpmap/default - - # Locally available DERP map files encoded in YAML - # - # This option is mostly interesting for people hosting - # their own DERP servers: - # https://tailscale.com/kb/1118/custom-derp-servers/ - # - # paths: - # - /etc/headscale/derp-example.yaml - paths: [] - - # If enabled, a worker will be set up to periodically - # refresh the given sources and update the derpmap - # will be set up. - auto_update_enabled: true - - # How often should we check for DERP updates? - update_frequency: 24h - -# Disables the automatic check for headscale updates on startup -disable_check_updates: false - -# Time before an inactive ephemeral node is deleted? -ephemeral_node_inactivity_timeout: 30m - -# Period to check for node updates within the tailnet. A value too low will severely affect -# CPU consumption of Headscale. A value too high (over 60s) will cause problems -# for the nodes, as they won't get updates or keep alive messages frequently enough. -# In case of doubts, do not touch the default 10s. -node_update_check_interval: 10s - -# SQLite config -db_type: sqlite3 - -# For production: -db_path: /var/lib/headscale/db.sqlite - -# # Postgres config -# If using a Unix socket to connect to Postgres, set the socket path in the 'host' field and leave 'port' blank. -# db_type: postgres -# db_host: localhost -# db_port: 5432 -# db_name: headscale -# db_user: foo -# db_pass: bar - -# If other 'sslmode' is required instead of 'require(true)' and 'disabled(false)', set the 'sslmode' you need -# in the 'db_ssl' field. Refers to https://www.postgresql.org/docs/current/libpq-ssl.html Table 34.1. -# db_ssl: false - -tls_cert_path: "" -tls_key_path: "" - -log: - # Output formatting for logs: text or json - format: text - level: info - -# Path to a file containg ACL policies. -# ACLs can be defined as YAML or HUJSON. -# https://tailscale.com/kb/1018/acls/ -acl_policy_path: "/etc/headscale/acl.yml" - -## DNS -# -# headscale supports Tailscale's DNS configuration and MagicDNS. -# Please have a look to their KB to better understand the concepts: -# -# - https://tailscale.com/kb/1054/dns/ -# - https://tailscale.com/kb/1081/magicdns/ -# - https://tailscale.com/blog/2021-09-private-dns-with-magicdns/ -# -dns_config: - # Whether to prefer using Headscale provided DNS or use local. - override_local_dns: true - - # List of DNS servers to expose to clients. - nameservers: - - 1.1.1.1 - - # NextDNS (see https://tailscale.com/kb/1218/nextdns/). - # "abc123" is example NextDNS ID, replace with yours. - # - # With metadata sharing: - # nameservers: - # - https://dns.nextdns.io/abc123 - # - # Without metadata sharing: - # nameservers: - # - 2a07:a8c0::ab:c123 - # - 2a07:a8c1::ab:c123 - - # Split DNS (see https://tailscale.com/kb/1054/dns/), - # list of search domains and the DNS to query for each one. - # - # restricted_nameservers: - # foo.bar.com: - # - 1.1.1.1 - # darp.headscale.net: - # - 1.1.1.1 - # - 8.8.8.8 - - # Search domains to inject. - domains: ['simponic.xyz'] - - # Extra DNS records - # so far only A-records are supported (on the tailscale side) - # See https://github.com/juanfont/headscale/blob/main/docs/dns-records.md#Limitations - # extra_records: - # - name: "grafana.myvpn.example.com" - # type: "A" - # value: "100.64.0.3" - # - # # you can also put it in one line - # - { name: "prometheus.myvpn.example.com", type: "A", value: "100.64.0.3" } - - # Whether to use [MagicDNS](https://tailscale.com/kb/1081/magicdns/). - # Only works if there is at least a nameserver defined. - magic_dns: true - - # Defines the base domain to create the hostnames for MagicDNS. - # `base_domain` must be a FQDNs, without the trailing dot. - # The FQDN of the hosts will be - # `hostname.user.base_domain` (e.g., _myhost.myuser.example.com_). - base_domain: headscale.simponic.xyz - -# Unix socket used for the CLI to connect without authentication -# Note: for production you will want to set this to something like: -unix_socket: /var/run/headscale/headscale.sock -unix_socket_permission: "0770" -# -# headscale supports experimental OpenID connect support, -# it is still being tested and might have some bugs, please -# help us test it. -# OpenID Connect -# oidc: -# only_start_if_oidc_is_available: true -# issuer: "https://your-oidc.issuer.com/path" -# client_id: "your-oidc-client-id" -# client_secret: "your-oidc-client-secret" -# # Alternatively, set `client_secret_path` to read the secret from the file. -# # It resolves environment variables, making integration to systemd's -# # `LoadCredential` straightforward: -# client_secret_path: "${CREDENTIALS_DIRECTORY}/oidc_client_secret" -# # client_secret and client_secret_path are mutually exclusive. -# -# # The amount of time from a node is authenticated with OpenID until it -# # expires and needs to reauthenticate. -# # Setting the value to "0" will mean no expiry. -# expiry: 180d -# -# # Use the expiry from the token received from OpenID when the user logged -# # in, this will typically lead to frequent need to reauthenticate and should -# # only been enabled if you know what you are doing. -# # Note: enabling this will cause `oidc.expiry` to be ignored. -# use_expiry_from_token: false -# -# # Customize the scopes used in the OIDC flow, defaults to "openid", "profile" and "email" and add custom query -# # parameters to the Authorize Endpoint request. Scopes default to "openid", "profile" and "email". -# -# scope: ["openid", "profile", "email", "custom"] -# extra_params: -# domain_hint: example.com -# -# # List allowed principal domains and/or users. If an authenticated user's domain is not in this list, the -# # authentication request will be rejected. -# -# allowed_domains: -# - example.com -# # Note: Groups from keycloak have a leading '/' -# allowed_groups: -# - /headscale -# allowed_users: -# - alice@example.com -# -# # If `strip_email_domain` is set to `true`, the domain part of the username email address will be removed. -# # This will transform `first-name.last-name@example.com` to the user `first-name.last-name` -# # If `strip_email_domain` is set to `false` the domain part will NOT be removed resulting to the following -# user: `first-name.last-name.example.com` -# -# strip_email_domain: true - -# Logtail configuration -# Logtail is Tailscales logging and auditing infrastructure, it allows the control panel -# to instruct tailscale nodes to log their activity to a remote server. -logtail: - # Enable logtail for this headscales clients. - # As there is currently no support for overriding the log server in headscale, this is - # disabled by default. Enabling this will make your clients send logs to Tailscale Inc. - enabled: false - -# Enabling this option makes devices prefer a random port for WireGuard traffic over the -# default static port 41641. This option is intended as a workaround for some buggy -# firewall devices. See https://tailscale.com/kb/1181/firewalls/ for more information. -randomize_client_port: false diff --git a/roles/vpn/tasks/main.yml b/roles/vpn/tasks/main.yml index 6ad0c57..60963f1 100644 --- a/roles/vpn/tasks/main.yml +++ b/roles/vpn/tasks/main.yml @@ -23,6 +23,14 @@ group: root mode: u=rw,g=r,o=r +- name: build headscale config template + template: + src: ../templates/config.yml.j2 + dest: /etc/docker/compose/headscale/config.yml + owner: root + group: root + mode: u=rw,g=r,o=r + - name: ensure headscale data volume exist file: path: /etc/docker/compose/headscale/data @@ -31,12 +39,6 @@ group: root mode: 0700 -- name: ensure headscale users - shell: | - docker exec headscale headscale user create "{{ item }}" - with_items: - - "{{ headscale_users }}" - - name: daemon-reload and enable headscale ansible.builtin.systemd_service: state: restarted diff --git a/roles/vpn/templates/config.yml.j2 b/roles/vpn/templates/config.yml.j2 new file mode 100644 index 0000000..926a84f --- /dev/null +++ b/roles/vpn/templates/config.yml.j2 @@ -0,0 +1,288 @@ +--- +# headscale will look for a configuration file named `config.yaml` (or `config.json`) in the following order: +# +# - `/etc/headscale` +# - `~/.headscale` +# - current working directory + +# The url clients will connect to. +# Typically this will be a domain like: +# +# https://myheadscale.example.com:443 +# +server_url: https://headscale.simponic.xyz:443 + +# Address to listen to / bind to on the server +# +# For production: +# listen_addr: 0.0.0.0:8080 +listen_addr: 0.0.0.0:8080 + +# Address to listen to /metrics, you may want +# to keep this endpoint private to your internal +# network +# +metrics_listen_addr: 127.0.0.1:9090 + +# Address to listen for gRPC. +# gRPC is used for controlling a headscale server +# remotely with the CLI +# Note: Remote access _only_ works if you have +# valid certificates. +# +# For production: +# grpc_listen_addr: 0.0.0.0:50443 +grpc_listen_addr: 127.0.0.1:50443 + +# Allow the gRPC admin interface to run in INSECURE +# mode. This is not recommended as the traffic will +# be unencrypted. Only enable if you know what you +# are doing. +grpc_allow_insecure: false + +# The Noise section includes specific configuration for the +# TS2021 Noise protocol +noise: + # The Noise private key is used to encrypt the + # traffic between headscale and Tailscale clients when + # using the new Noise-based protocol. + private_key_path: /var/lib/headscale/noise_private.key + +private_key_path: /var/lib/headscale/private.key + +# List of IP prefixes to allocate tailaddresses from. +# Each prefix consists of either an IPv4 or IPv6 address, +# and the associated prefix length, delimited by a slash. +# It must be within IP ranges supported by the Tailscale +# client - i.e., subnets of 100.64.0.0/10 and fd7a:115c:a1e0::/48. +# See below: +# IPv6: https://github.com/tailscale/tailscale/blob/22ebb25e833264f58d7c3f534a8b166894a89536/net/tsaddr/tsaddr.go#LL81C52-L81C71 +# IPv4: https://github.com/tailscale/tailscale/blob/22ebb25e833264f58d7c3f534a8b166894a89536/net/tsaddr/tsaddr.go#L33 +# Any other range is NOT supported, and it will cause unexpected issues. +ip_prefixes: + - fd7a:115c:a1e0::/48 + - 100.64.0.0/10 + +# DERP is a relay system that Tailscale uses when a direct +# connection cannot be established. +# https://tailscale.com/blog/how-tailscale-works/#encrypted-tcp-relays-derp +# +# headscale needs a list of DERP servers that can be presented +# to the clients. +derp: + server: + # If enabled, runs the embedded DERP server and merges it into the rest of the DERP config + # The Headscale server_url defined above MUST be using https, DERP requires TLS to be in place + enabled: false + + # Region ID to use for the embedded DERP server. + # The local DERP prevails if the region ID collides with other region ID coming from + # the regular DERP config. + region_id: 999 + + # Region code and name are displayed in the Tailscale UI to identify a DERP region + region_code: "headscale" + region_name: "Headscale Embedded DERP" + + # Listens over UDP at the configured address for STUN connections - to help with NAT traversal. + # When the embedded DERP server is enabled stun_listen_addr MUST be defined. + # + # For more details on how this works, check this great article: https://tailscale.com/blog/how-tailscale-works/ + stun_listen_addr: "0.0.0.0:3478" + + # Private key used to encrypt the traffic between headscale DERP + # and Tailscale clients. + # The private key file will be autogenerated if it's missing. + # + private_key_path: /var/lib/headscale/derp_server_private.key + + # List of externally available DERP maps encoded in JSON + urls: + - https://controlplane.tailscale.com/derpmap/default + + # Locally available DERP map files encoded in YAML + # + # This option is mostly interesting for people hosting + # their own DERP servers: + # https://tailscale.com/kb/1118/custom-derp-servers/ + # + # paths: + # - /etc/headscale/derp-example.yaml + paths: [] + + # If enabled, a worker will be set up to periodically + # refresh the given sources and update the derpmap + # will be set up. + auto_update_enabled: true + + # How often should we check for DERP updates? + update_frequency: 24h + +# Disables the automatic check for headscale updates on startup +disable_check_updates: false + +# Time before an inactive ephemeral node is deleted? +ephemeral_node_inactivity_timeout: 30m + +# Period to check for node updates within the tailnet. A value too low will severely affect +# CPU consumption of Headscale. A value too high (over 60s) will cause problems +# for the nodes, as they won't get updates or keep alive messages frequently enough. +# In case of doubts, do not touch the default 10s. +node_update_check_interval: 10s + +# SQLite config +db_type: sqlite3 + +# For production: +db_path: /var/lib/headscale/db.sqlite + +# # Postgres config +# If using a Unix socket to connect to Postgres, set the socket path in the 'host' field and leave 'port' blank. +# db_type: postgres +# db_host: localhost +# db_port: 5432 +# db_name: headscale +# db_user: foo +# db_pass: bar + +# If other 'sslmode' is required instead of 'require(true)' and 'disabled(false)', set the 'sslmode' you need +# in the 'db_ssl' field. Refers to https://www.postgresql.org/docs/current/libpq-ssl.html Table 34.1. +# db_ssl: false + +tls_cert_path: "" +tls_key_path: "" + +log: + # Output formatting for logs: text or json + format: text + level: info + +# Path to a file containg ACL policies. +# ACLs can be defined as YAML or HUJSON. +# https://tailscale.com/kb/1018/acls/ +acl_policy_path: "/etc/headscale/acl.yml" + +## DNS +# +# headscale supports Tailscale's DNS configuration and MagicDNS. +# Please have a look to their KB to better understand the concepts: +# +# - https://tailscale.com/kb/1054/dns/ +# - https://tailscale.com/kb/1081/magicdns/ +# - https://tailscale.com/blog/2021-09-private-dns-with-magicdns/ +# +dns_config: + # Whether to prefer using Headscale provided DNS or use local. + override_local_dns: true + + # List of DNS servers to expose to clients. + nameservers: + - 1.1.1.1 + + # NextDNS (see https://tailscale.com/kb/1218/nextdns/). + # "abc123" is example NextDNS ID, replace with yours. + # + # With metadata sharing: + # nameservers: + # - https://dns.nextdns.io/abc123 + # + # Without metadata sharing: + # nameservers: + # - 2a07:a8c0::ab:c123 + # - 2a07:a8c1::ab:c123 + + # Split DNS (see https://tailscale.com/kb/1054/dns/), + # list of search domains and the DNS to query for each one. + # + # restricted_nameservers: + # foo.bar.com: + # - 1.1.1.1 + # darp.headscale.net: + # - 1.1.1.1 + # - 8.8.8.8 + + # Search domains to inject. + domains: ['simponic.xyz'] + + # Extra DNS records + # so far only A-records are supported (on the tailscale side) + # See https://github.com/juanfont/headscale/blob/main/docs/dns-records.md#Limitations + # extra_records: + # - name: "grafana.myvpn.example.com" + # type: "A" + # value: "100.64.0.3" + # + # # you can also put it in one line + # - { name: "prometheus.myvpn.example.com", type: "A", value: "100.64.0.3" } + + # Whether to use [MagicDNS](https://tailscale.com/kb/1081/magicdns/). + # Only works if there is at least a nameserver defined. + magic_dns: true + + # Defines the base domain to create the hostnames for MagicDNS. + # `base_domain` must be a FQDNs, without the trailing dot. + # The FQDN of the hosts will be + # `hostname.user.base_domain` (e.g., _myhost.myuser.example.com_). + base_domain: headscale.simponic.xyz + +# Unix socket used for the CLI to connect without authentication +# Note: for production you will want to set this to something like: +unix_socket: /var/run/headscale/headscale.sock +unix_socket_permission: "0770" +# +# headscale supports experimental OpenID connect support, +# it is still being tested and might have some bugs, please +# help us test it. +# OpenID Connect +oidc: + # Block further startup until the OIDC provider is healthy and available + only_start_if_oidc_is_available: true + # Specified by your OIDC provider + issuer: "https://authelia.simponic.xyz" + # Specified/generated by your OIDC provider + client_id: "simponicheadscale" + client_secret: "{{ headscale_oidc_secret }}" + # alternatively, set `client_secret_path` to read the secret from the file. + # It resolves environment variables, making integration to systemd's + # `LoadCredential` straightforward: + #client_secret_path: "${CREDENTIALS_DIRECTORY}/oidc_client_secret" + + # Customize the scopes used in the OIDC flow, defaults to "openid", "profile" and "email" and add custom query + # parameters to the Authorize Endpoint request. Scopes default to "openid", "profile" and "email". + scope: ["openid", "profile", "email"] + # Optional: Passed on to the browser login request – used to tweak behaviour for the OIDC provider + extra_params: + domain_hint: simponic.xyz + + # Optional: List allowed principal domains and/or users. If an authenticated user's domain is not in this list, + # the authentication request will be rejected. + allowed_domains: + - simponic.xyz + # Optional. Note that groups from Keycloak have a leading '/'. + # allowed_groups: + # - /admins + # - admins + # - people + # Optional. + allowed_users: + - "{{ headscale_allowed_users }}" + + # If `strip_email_domain` is set to `true`, the domain part of the username email address will be removed. + # This will transform `first-name.last-name@example.com` to the user `first-name.last-name` + # If `strip_email_domain` is set to `false` the domain part will NOT be removed resulting to the following + # user: `first-name.last-name.example.com` + strip_email_domain: true + +# Logtail configuration +# Logtail is Tailscales logging and auditing infrastructure, it allows the control panel +# to instruct tailscale nodes to log their activity to a remote server. +logtail: + # Enable logtail for this headscales clients. + # As there is currently no support for overriding the log server in headscale, this is + # disabled by default. Enabling this will make your clients send logs to Tailscale Inc. + enabled: false + +# Enabling this option makes devices prefer a random port for WireGuard traffic over the +# default static port 41641. This option is intended as a workaround for some buggy +# firewall devices. See https://tailscale.com/kb/1181/firewalls/ for more information. +randomize_client_port: false diff --git a/roles/webservers/files/nginx.conf b/roles/webservers/files/nginx.conf index 6ddd8ab..4d8402d 100644 --- a/roles/webservers/files/nginx.conf +++ b/roles/webservers/files/nginx.conf @@ -1,6 +1,8 @@ user www-data; worker_processes 4; pid /run/nginx.pid; +load_module modules/ndk_http_module.so; +load_module modules/ngx_http_set_misc_module.so; events { worker_connections 768; diff --git a/roles/webservers/files/nijika/http.authelia.simponic.xyz.conf b/roles/webservers/files/nijika/http.authelia.simponic.xyz.conf new file mode 100644 index 0000000..e57fbc6 --- /dev/null +++ b/roles/webservers/files/nijika/http.authelia.simponic.xyz.conf @@ -0,0 +1,13 @@ +server { + listen 80; + server_name authelia.simponic.xyz; + + location /.well-known/acme-challenge { + root /var/www/letsencrypt; + try_files $uri $uri/ =404; + } + + location / { + rewrite ^ https://authelia.simponic.xyz$request_uri? permanent; + } +} diff --git a/roles/webservers/files/nijika/http.headscale.simponic.xyz.conf b/roles/webservers/files/nijika/http.headscale.simponic.xyz.conf index 7bfaf44..32b80b0 100644 --- a/roles/webservers/files/nijika/http.headscale.simponic.xyz.conf +++ b/roles/webservers/files/nijika/http.headscale.simponic.xyz.conf @@ -1,7 +1,5 @@ -server_tokens off; - server { - listen 80 default_server; + listen 80; server_name headscale.simponic.xyz; location /.well-known/acme-challenge { diff --git a/roles/webservers/files/nijika/https.authelia.simponic.xyz.conf b/roles/webservers/files/nijika/https.authelia.simponic.xyz.conf new file mode 100644 index 0000000..7034b0b --- /dev/null +++ b/roles/webservers/files/nijika/https.authelia.simponic.xyz.conf @@ -0,0 +1,57 @@ +server { + listen 443 ssl; + server_name authelia.simponic.xyz; + + ssl_certificate /etc/letsencrypt/live/authelia.simponic.xyz/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/authelia.simponic.xyz/privkey.pem; + ssl_trusted_certificate /etc/letsencrypt/live/authelia.simponic.xyz/fullchain.pem; + + ssl_session_cache shared:SSL:50m; + ssl_session_timeout 5m; + ssl_stapling on; + ssl_stapling_verify on; + + ssl_protocols TLSv1 TLSv1.1 TLSv1.2; + ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4"; + + ssl_dhparam /etc/nginx/dhparams.pem; + ssl_prefer_server_ciphers on; + + location / { + proxy_pass http://127.0.0.1:9091; + + client_body_buffer_size 128k; + + #Timeout if the real server is dead + proxy_next_upstream error timeout invalid_header http_500 http_502 http_503; + + # Advanced Proxy Config + send_timeout 5m; + proxy_read_timeout 360; + proxy_send_timeout 360; + proxy_connect_timeout 360; + + # Basic Proxy Config + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Forwarded-Host $http_host; + proxy_set_header X-Forwarded-Uri $request_uri; + proxy_set_header X-Forwarded-Ssl on; + proxy_redirect http:// $scheme://; + proxy_http_version 1.1; + proxy_set_header Connection ""; + proxy_cache_bypass $cookie_session; + proxy_no_cache $cookie_session; + proxy_buffers 64 256k; + + # If behind reverse proxy, forwards the correct IP + set_real_ip_from 10.0.0.0/8; + set_real_ip_from 172.0.0.0/8; + set_real_ip_from 192.168.0.0/16; + set_real_ip_from fc00::/7; + real_ip_header X-Forwarded-For; + real_ip_recursive on; + } +} diff --git a/roles/webservers/tasks/main.yml b/roles/webservers/tasks/main.yml index 03fba22..fccd34e 100644 --- a/roles/webservers/tasks/main.yml +++ b/roles/webservers/tasks/main.yml @@ -17,6 +17,9 @@ - name: install nginx apt: name=nginx state=latest +- name: install libnginx-mod-http-set-misc + apt: name=libnginx-mod-http-set-misc state=latest + - name: install letsencrypt apt: name=letsencrypt state=latest -- cgit v1.2.3-70-g09d2